In my earlier blog post "Using Drupal on shared hosting... Don't" I wrote about why, for security reasons, you should never ever even consider using shared hosting plans in conjunction with a(ny) content management system. This time, let's talk about motives for attacking webservers and why you should take the risk of a break-in seriously, even if your website is just a personal blog or a forum.
In principle, there are three main motivations for breaking into a webserver:
- Monetary gains
- Showing off
- Sabotaging a competitor
Showing off is, of course, just for pleasing one's own ego and therefore only prominent websites face a real risk from this. Hurting a competitor is always a targeted attack; targeted attacks are quite expensive and therefore rare. Even though these two motivations can be combined (think about an ex-user of your platform seeking revenge), it's actually the "monetary gains" you should be worried about.
So, what kind of monetary value could your website offer, even if you don't do things like payment processing there?
The original motive for writing computer viruses was pretty much malicious mischief and a desire to show off. With the rise of the internet, the focus changed, though. Today, malware is written commercially and remote-controlled botnets have become a profitable market niche, be it mass emailing, distributed denial of service attacks or simply selling traffic to website owners (just think of your marketing potential when you can show advertisers 10k unique visits/day in Google Analytics). There's always a sucker who'll pay for such services.
Why should this concern you? Well, malware often needs a location from which to download its payload or updates. Since this cannot be done from a central server (as it would obviously be shut down immediately by the authorities), riding piggyback on compromised hosts is the way to go. The process of compromising webservers is largely automated nowadays. When I look at my own weblogs, for example, I find that hardly an hour passes by without some crawler scanning my server for vulnerable content management systems that could be used for uploading arbitrary files.
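To see this kind of scanning in your own access log, the following added example (not part of the original post) flags clients that request several distinct missing paths within one clock hour. The log lines, IP addresses, paths and the threshold are constructed for illustration, and the log is assumed to be in Combined Log Format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /blog/hello-world HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:10:01:03 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:03:11 +0000] "GET /cms-a/admin/upload.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [12/Mar/2024:10:03:11 +0000] "GET /cms-a/admin/upload.php?x=1 HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [12/Mar/2024:10:03:12 +0000] "GET /cms-b/plugins/editor/upload.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [12/Mar/2024:10:03:12 +0000] "POST /cms-c/filemanager/connector HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [12/Mar/2024:10:03:13 +0000] "GET /cms-d/install.php HTTP/1.1" 403 199 "-" "-"
203.0.113.5 - - [12/Mar/2024:10:20:40 +0000] "GET /old-page HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def find_scanners(log_text, min_missing_paths=4):
    """Return {(ip, hour): sorted distinct paths} for clients that hit at
    least `min_missing_paths` distinct 403/404 paths within one clock hour."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand
        if int(m["status"]) not in (403, 404):
            continue  # only missing or forbidden resources count as probes
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hour = ts.strftime("%Y-%m-%d %H:00")
        # Ignore the query string so repeated probes of one file count once.
        path = m["path"].split("?", 1)[0]
        probes[(m["ip"], hour)].add(path)
    return {key: sorted(paths) for key, paths in probes.items()
            if len(paths) >= min_missing_paths}


if __name__ == "__main__":
    for (ip, hour), paths in find_scanners(SAMPLE_LOG).items():
        print(ip, hour, len(paths), "distinct missing paths")
```

A visitor who trips over one dead link stays below the threshold; a crawler walking a list of upload scripts does not.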
Should the idea of involuntarily hosting malware not scare you, the idea of Google catching you doing it should. Once they do, your site may be dropped from their index.
What value does an email address have? With all those big freemailers like Yahoo, GMX and Gmail around, one might be inclined to say: pretty much none. People register addresses at no cost and throw them away again, as they please. At best, you could make some money from spamming them, right? Well, dead wrong!
Assume you are hosting a forum on your website. This inevitably means building a user database. User databases mean accounts and accounts mean login name, password and email address. Given a large enough audience, what do you think are the odds of at least some of your users recycling passwords?
Think about it: the user's email address contains a domain. The mail server of that domain can be looked up via DNS and the SMTP AUTH protocol (or alternatively POP3 or IMAP) allows you to automatically verify whether or not the password the user uses on your site also unlocks their email account. When it does, why not check if that email address is also linked to an eBay, PayPal or Amazon account?
In anticipation of wise guy comments: Yes, I am aware of the fact that most content management systems only store password hashes in their databases to prevent exactly that kind of attack. I am also aware of the fact that whoever can gain access to the database can also patch the content management system to hijack the login process.
Finally, the biggest and easiest moneymaker: backlinks. Whoever owns a website knows how hard it is to rank well with search engines. Search engines discover websites by crawling the web for links. The more inbound links you have, the more relevance you collect and therefore the better you rank. The high road for getting backlinks is, of course, to provide quality content that people willingly link to.
The business world, however, lives in the fast lane. When there's a new product to market, waiting a year or two for that product's website to catch momentum is not an option. So, business owners are often willing to pay for a shortcut and create an opportunity in doing so.
When you have a large website, containing hundreds or even thousands of individual pages, you rarely check whether all of them are still in "mint condition". This is especially true for old blog posts that are buried deep in the archives. Besides not getting much attention from their authors, old pages (or rather: URLs) have the additional benefit of already having collected page rank. This makes them as interesting as they are valuable to unscrupulous entrepreneurs:
Sneak links into long-forgotten articles, whitewash the PR through a network of their own blogs and finally sell the link juice to anyone who is willing to do link building through his wallet.
This can affect you negatively in the same way hosting malware can. Should your unscrupulous entrepreneur oversell his own network, he risks getting dropped from Google's index and you risk a penalty for linking to a bad neighborhood.
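One way to notice links sneaked into archived articles is to compare each page's outbound link hosts against the set you recorded when you last reviewed it. This is an added example, not part of the original post; the hostname `blog.example`, the article URLs, the HTML and the baseline are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "blog.example"  # assumption: the site's own hostname

# Constructed sample: current article HTML as it would come from the CMS.
ARTICLES = {
    "/2011/03/old-post":
        '<p>See <a href="https://docs.example/guide">the guide</a>.'
        '<span style="font-size:1px">'
        '<a href="http://cheap-widgets.example/">widgets</a></span></p>',
    "/2024/01/new-post":
        '<p><a href="/about">About</a>, <a href="https://docs.example/">docs</a></p>',
}
# Constructed baseline: external hosts present when each page was reviewed.
BASELINE = {
    "/2011/03/old-post": {"docs.example"},
    "/2024/01/new-post": {"docs.example"},
}


class LinkCollector(HTMLParser):
    """Collects the hostnames of all <a href> targets outside SITE_HOST."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        try:
            host = (urlsplit(href).hostname or "").lower()
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            return
        if host and host != SITE_HOST:  # relative links have no host
            self.hosts.add(host)


def audit(articles, baseline):
    """Return {url: sorted hosts} for external hosts missing from the baseline."""
    findings = {}
    for url, html in articles.items():
        collector = LinkCollector()
        collector.feed(html)
        collector.close()
        new_hosts = collector.hosts - baseline.get(url, set())
        if new_hosts:
            findings[url] = sorted(new_hosts)
    return findings
```

Run on a schedule against the stored article bodies, this reports the old post with its new host and stays silent for pages whose links are unchanged.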